The Bank Cyberattacks: Is Your Money Safe?


For the past two weeks, an unknown attacker or group of attackers
has disrupted access to the websites of five major American
banks: Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank
and PNC Bank.

Many customers have
had trouble reaching the sites to check their account
balances or move money around, thanks to what appears to be a
series of coordinated attacks.

It's not clear exactly who's behind the disruptions, despite the
claims of a previously unknown Islamist group, or even what sort
of methods they're using, but here's what we do know.

Hacktivist groups such as Anonymous often use
DDoS as a form of protest, effectively blockading the sites
of organizations without damaging them. Yet well-defended sites,
as the banks' sites presumably are, would normally be able to
blunt a DDoS attack.

"There's absolutely no risk to
customer information," said Dmitri Alperovitch, chief
technology officer of the security firm CrowdStrike. "They're
just not able to get to the site for a few hours."

Cluley agreed.

"I think the only impact of the DDoS attacks on customers is that
they may not be able to access their bank's website," Cluley
said. "It shouldn't pose any risk to their accounts other than
problems accessing them online."

Steve Santorelli, a researcher at Lake Mary, Fla.-based nonprofit
security firm Team Cymru, isn't so sanguine about the bank
attacks.

"There are three concepts to security: availability,
confidentiality and integrity," Santorelli said. "Any event that
compromises even just one of them can have complex repercussions
and also, of course, takes monitoring and response resources away
from any synchronized unauthorized logins to accounts."

It might just be possible that the service disruptions are a
smokescreen to cover for raids on customer accounts, though
experts disagree on how likely that is.

In the same way that the bank robbers in the 1969 crime caper
"The Italian Job" created a traffic jam (by hacking into a
computer that controlled traffic lights) to paralyze the police
response, the DDoS attacks could be meant to divert
digital-security personnel's attention away from protecting
information.

The FBI released an advisory in November 2011
warning of such scenarios, and even cited a form of banking
Trojan that was designed for such attacks.

"Nowadays it's commonplace to have criminals combine banking
Trojan attacks with DDoS attacks," said Mikko Hypponen, chief
security officer of Helsinki, Finland anti-virus firm F-Secure.
"When they score a big transfer from a company's or an
individual's accounts, they launch a DDoS against the online
bank.

"This accomplishes two things: 1) the victim can't log in to the
bank and see that he's been robbed; 2) the bank staff is busy
fighting the DDoS and might miss the illegal transfers (although
in most cases it would be different people in the bank's
organization in charge of those things)."

Robert Graham, chief executive officer of Errata Security in
Atlanta, admitted that was a possibility, "but then pretty much
any speculation is possible."

"There is a question of the sort of DDoS attacks [taking place],"
Graham said. "Are they simply website requests, taking down the
websites? Or are they specific queries, trying to flood backend
transaction servers in an attempt to hide some other activity? We
need more information to figure that out."

"Honestly, I am not sure it would make sense for this sort of
crime," Wisniewski said. "If you were to use a DDoS as a
diversion, it would be used for you to get a foothold for a
targeted attack, not traditional banking fraud/Trojans."
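The diversion scenario Hypponen and Santorelli describe has a defender-side consequence: transfers made during an availability incident deserve a second look rather than less attention. As an added example that is not from the article or from any of the firms quoted, the Python below runs a simple review rule over constructed transfer records and a constructed incident window, flagging transfers to never-seen payees or far above an account's typical size; the account profiles, thresholds and timestamps are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transfer:
    ts: datetime
    account: str
    payee: str
    amount: float

# Constructed sample data: the hours the site was under DDoS, plus transfers.
INCIDENT = (datetime(2012, 9, 26, 14, 0), datetime(2012, 9, 26, 18, 0))
TRANSFERS = [
    Transfer(datetime(2012, 9, 26, 9, 15), "acct-1001", "utility-co", 120.00),
    Transfer(datetime(2012, 9, 26, 14, 42), "acct-1001", "new-mule-7", 9800.00),
    Transfer(datetime(2012, 9, 26, 15, 5), "acct-2002", "landlord", 1500.00),
    Transfer(datetime(2012, 9, 26, 16, 30), "acct-3003", "new-mule-7", 7400.00),
    Transfer(datetime(2012, 9, 26, 19, 10), "acct-1001", "new-mule-7", 9900.00),
]
# Constructed per-account history: payees seen before and a typical amount.
HISTORY = {
    "acct-1001": {"payees": {"utility-co", "landlord"}, "typical": 300.00},
    "acct-2002": {"payees": {"landlord"}, "typical": 1500.00},
    "acct-3003": {"payees": {"grocer"}, "typical": 80.00},
}

def in_window(ts, window, slack=timedelta(hours=2)):
    # Include a margin on both sides: fraud may start before the traffic does.
    start, end = window
    return start - slack <= ts <= end + slack

def flag_transfers(transfers, history, window, ratio=5.0):
    """Transfers in or near the incident window that go to a payee the
    account has never paid, or exceed `ratio` times its typical amount."""
    flagged = []
    for t in transfers:
        if not in_window(t.ts, window):
            continue
        profile = history.get(t.account, {"payees": set(), "typical": 0.0})
        reasons = []
        if t.payee not in profile["payees"]:
            reasons.append("new payee")
        if profile["typical"] and t.amount > ratio * profile["typical"]:
            reasons.append("amount %.1fx typical" % (t.amount / profile["typical"]))
        if reasons:
            flagged.append((t, reasons))
    # Largest amounts first, so the review queue starts with the costliest.
    return sorted(flagged, key=lambda item: item[0].amount, reverse=True)
```

In the sample data the same previously unseen payee receives money from two different accounts during the incident, which is the pattern a reviewer would want surfaced while the rest of the team is busy with the traffic.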

Despite all of the publicity, none of the banks have said much
beyond apologizing for the inconvenience to customers.

"What's the advantage of admitting you were hit by a DDoS
attack?" Graham said. "Banks are shy of litigation — they don't
admit anything."

"There is still a stigma, a perception, that customers do not
like their accounts being handled by a bank that is not 'safe,'"
Santorelli said. "Banks, like every other industry that has
embraced the internet, do not like bad publicity. ... It's not a
data breach, so it is not covered by the 'new data breach
notification' legislation in the U.S."

Wisniewski pointed out that the banks might be legally barred
from releasing details.

"There is likely an ongoing investigation by the FBI prohibiting
them from discussing any details publicly," Wisniewski said. "I
don't think there is any shame in [admitting being under attack],
but who knows — maybe they have something to hide."

Who's behind this?

Even if criminals are ruled out, it's still tough at this stage to
know who's really behind the disruptions.

A previously unknown Islamist group calling itself the "Qassam
Cyberbrigades" or "Cyber Fighters of Izz al-din al-Qassam" has
posted messages in English and Arabic on
online forums claiming responsibility for the attacks, and
accurately predicted which banks were going to be hit.

The "Cyberbrigades," whose name refers to the military wing of
the Palestinian Islamist party Hamas, claim the attacks are
retaliation for the offensive YouTube clip "Innocence of
Muslims." They vow to continue the attacks until the video is
entirely removed from YouTube.

But anonymous national-security experts told NBC News last week
that it's unlikely that amateur hackers could have mounted such
massive DDoS attacks against well-protected websites of American
banks. Instead, they said, there's a more likely culprit: the
government of Iran.

Sen. Joe Lieberman, I-Conn., repeated that theory last week,
telling a C-SPAN interviewer that Iran was probably behind the
attacks.

Alperovitch said either theory was possible, though he doubted it
was a response to "Innocence of Muslims."

"We believe it's either a hacktivist group, or what Senator
Lieberman has declared," he said. "It would take months of
planning to organize this."

Cluley, on the other hand, thought it best to gather evidence
first.

"Any joker can post messages on the Internet claiming to be
responsible — but that's very different from finding a smoking
gun," Cluley said. "We should all be careful about jumping to
conclusions or pointing fingers in particular directions until
convincing evidence is presented."

Wisniewski didn't think the scale of attacks necessarily pointed
at a nation-state.

"I have not seen nor heard of any serious evidence that Iran is
behind these attacks," he said. "Any criminal with a wish to
cause mischief certainly could. DDoS may not be trivial at this
scale, but it is relatively cheap to rent
very large numbers of bots."

The Jester, a well-known "patriotic hacker," put up a blog
posting earlier this week detailing an Internet Relay Chat
conversation he had with a botnet renter. The Jester
pretended to be an Islamist friend of the Qassam
Cyberbrigades, and was given a price of $200 for a 1,000-hour
DDoS attack.

Independent security expert Dancho Danchev does think the attack
may have come from Iran — but not from the Iranian government.

On his blog Friday, Danchev showed what he said was evidence that a
young Iranian woman began a grassroots hacktivist campaign by
posting a link from her Facebook page to a download. The
download links have since spread to websites and forums
frequented by Islamists.

The download contains a simple "htm" file, which displays a page
housed on the user's own computer in a Web browser. The page
contains a message in Arabic and English, a list of targets and a
simple button. Pushing the button launches an attack from the
user's computer against the bank websites.

Danchev said the tool being used was a version of a free
server-load-testing application called the
Low Orbit Ion Cannon, which the hacktivist group Anonymous
has used in the past.

But knocking a major bank's website offline would take many times
the firepower that any hacktivist group would normally possess.

"The level of sophistication is moderate to low," Alperovitch
said. "What's interesting is the volume."

Threatpost, the consumer-oriented blog of Russian security firm
Kaspersky Lab, said some of the traffic hitting the banks'
servers reached 100 gigabits per second, as
opposed to the regular DDoS attack volume of 5 to 10 gigabits
per second. It did not cite its source.

"Someone clearly had motivation to put this together,"
Alperovitch told SecurityNewsDaily. "It's unlikely that a kid
would make that much effort. The only thing we know at this point
is that it's organized and whoever's behind it has spent a lot of
effort."

Graham wasn't so certain.

"Any joker even without the right tools can disrupt a heavily
protected site," he said.

How can you protect yourself?

Again, if this is really just a DDoS attack, the banks' customers
are not in much danger of losing money or personal information.

But there are still basic precautions that any online banking
user should take, regardless of the present danger.

"If you don't need
Java and Adobe software, uninstall it, although many banks
require Java," he added. "Of course, use an up-to-date browser."

All those tips will protect your personal information and screen
out malware, but there's still the chance a smart banking Trojan
could get in.

"If you are really worried," Santorelli said, "use a
dedicated clean machine to access your accounts and never use
it for anything else. ... if customers prevent anyone stealing
their banking credentials in the first place, they have little to
fear other than the inconvenience of not being able to get to
their online accounts."